
Installing NetYCE on RHEL 7

This installation guide installs NetYCE version 7.x on a RedHat 7 or CentOS 7 physical or virtual x86_64 platform.

References to EL or RHEL refer to RedHat Enterprise Linux or CentOS Linux. All OS versions and packages are required to use the x86_64 architecture, that is x86 processors running 64-bit. The installation applies to both physical and virtual platform deployments.

Introduction

The choice of operating system (RedHat or CentOS), disk filesystem layout, installed packages, and security hardening are mostly defined by the customer's common practice. NetYCE does have some requirements on disk usage and directory trees that may warrant filesystem allocations, and it relies on a specific functional user, yce, that requires some sudo permissions.

A basic set of packages should be installed which will later be amended by specific NetYCE software. The basic OS installation can easily be realized by the customer, but we recommend the NetYCE software installation and configuration to be a joint effort.

During the first install of the NetYCE software packages, the configuration preferences and details of the NetYCE system and its architecture will be defined and initialized. Subsequent software upgrades and patches can be installed by the application manager using the NetYCE front-end without requiring system privileges. Only on some major upgrades will those be required.

The NetYCE software installation consists of two self-installing packages, YCE and YCEperl, a sample database and a license file. The installation depends on MariaDB (mysql server), apache (http server), fping and some standard distribution packages (openssl, tftp, ftp, ssh, telnet, gtar, etc). MySecureShell is a non-standard distribution package used for the sftp jail functionality.

System specification

The hardware requirements of NetYCE are moderate in themselves, although much depends on the intended level of use and the application architecture selected.

In general we suggest deploying two NetYCE servers in different data centers, attached to the Network Management (NMS) networks. These systems provide both the front-end (user and network facing) functions AND the database function. These functions can be configured to provide live failover and backup services by means of master-master replication. The front-end functions support 10-20 simultaneous users and can execute several thousand config changes per hour.

For such deployments a physical or virtual x86 server needs to have at least two CPU cores and 4 GB of memory, but 4 cores and 8 GB memory is recommended.

Disk space can be local or SAN based and should not exceed 50 GB. This disk space is allotted to a single filesystem or split across several, depending on system management preferences.

The NetYCE directory structure uses several trees for various functions. Assigning the mysql, shared and working/logs trees individual filesystems is recommended.

/ - 3 to 6 GB (OS root, bin, usr, lib, opt, etc)
/opt/yce - 100 MB
/opt/nms - 100 MB
/opt/ycelib - 500 MB
/var/opt/yce - 3 to 6 GB (logs and working data)
/var/opt/shared - 6 to 12 GB (tftp, os-files)
/var/opt/mysql -  4 to 8 GB (mysql data)

Verifications and preparations

SElinux

verify SELinux is not active:
$ cat /etc/selinux/config
⇒ preferred SELINUX=disabled
⇒ workable SELINUX=permissive

In case it's set to enforcing, edit /etc/selinux/config

Change SELINUX=enforcing to SELINUX=disabled and reboot the VM; the change does not take effect until the reboot.

Make sure a hostname is set, and check the output of the commands below.

Hostname

hostnamectl set-hostname rhel7.netyce.org
[root@localhost ~]# uname -i
x86_64

verify ip settings:
$ hostname
⇒ hostname (pref not fqdn)
$ hostname --domain
⇒ domain name
$ hostname --ip-address
⇒ one (1) ip-address of the local interface
if incorrect, fix using 'setup' or by editing /etc/hosts

DNS

verify dns is configured:
- update /etc/resolv.conf if needed
- test using nslookup of a device (in case of installing on a minimal installation, you'll need to install bind-utils first using yum)
- check search path and domain

Openssl

verify openssl is installed:
$ openssl
⇒ must start, then type 'quit'

Rpm

verify rpm is functional:
- e.g. # rpm -v

Valid release

verify a valid RedHat (or Centos) release is present.
$ cat /etc/redhat-release

⇒ Supported RHEL7 release is 7.6

To update a release to the latest RHEL7, connect the server to the internet and use the command (as root):
# yum update
When completed, reboot and verify using:
$ cat /etc/redhat-release

Note: During the install or updates, yum might (re-)enable 'firewalld'!
If your system's firewalld is not configured, the default setting will only allow SSH connections and block all others, including httpd, mysql, yce_xch, yce_sched, etc.

Firewalld

To disable 'firewalld':

systemctl stop firewalld
systemctl disable firewalld
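The verifications above (SELinux mode, architecture, release, hostname, IP address and firewalld), collected into one preflight script. This is an added example, not part of the NetYCE guide; each check_* function takes the text it inspects (file content or command output) as its argument so it can be exercised on constructed input, and run_preflight feeds it the live values from the host.

```shell
#!/bin/sh
# Preflight for the verifications above. Added example, not part of the NetYCE guide.
# Every check_* function gets the text it inspects as $1 so it can be run on
# constructed input; run_preflight collects the live values from the host.

# $1 = contents of /etc/selinux/config
check_selinux_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | tail -n 1)
    case "$mode" in
        disabled)   echo "selinux: disabled (preferred)" ;;
        permissive) echo "selinux: permissive (workable)" ;;
        enforcing)  echo "selinux: enforcing - set SELINUX=disabled and reboot"; return 1 ;;
        *)          echo "selinux: mode not found in config"; return 1 ;;
    esac
}

# $1 = output of 'uname -i'
check_arch() {
    if [ "$1" = "x86_64" ]; then
        echo "arch: x86_64"
        return 0
    fi
    echo "arch: '$1' - NetYCE requires x86_64"
    return 1
}

# $1 = contents of /etc/redhat-release; the supported RHEL7 release is 7.6
check_release() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    case "$ver" in
        7.6|7.6.*) echo "release: $ver (supported)" ;;
        7.*)       echo "release: $ver - not the supported 7.6; run 'yum update' and reboot"; return 1 ;;
        *)         echo "release: '$1' is not an EL7 release"; return 1 ;;
    esac
}

# $1 = output of 'hostname'; a short name (not an FQDN) is preferred
check_hostname() {
    case "$1" in
        ''|localhost|localhost.localdomain)
            echo "hostname: not set - use 'hostnamectl set-hostname'"; return 1 ;;
        *.*) echo "hostname: '$1' is an FQDN; a short name is preferred" ;;
        *)   echo "hostname: $1" ;;
    esac
}

# $1 = output of 'hostname --ip-address'; exactly one non-loopback address expected
check_ip_address() {
    set -- $1
    if [ "$#" -ne 1 ]; then
        echo "ip-address: expected one address, got $#: $*"
        return 1
    fi
    case "$1" in
        127.*|::1) echo "ip-address: $1 is loopback - fix /etc/hosts"; return 1 ;;
    esac
    echo "ip-address: $1"
}

# $1 = output of 'systemctl is-enabled firewalld' (empty when not installed)
check_firewalld() {
    case "$1" in
        ''|disabled|masked) echo "firewalld: ${1:-not installed}" ;;
        enabled) echo "firewalld: enabled - stop and disable it, otherwise only SSH is allowed"; return 1 ;;
        *)       echo "firewalld: unexpected state '$1'"; return 1 ;;
    esac
}

# Run every check against the live host; returns 1 if any check failed.
run_preflight() {
    rc=0
    check_selinux_mode "$(cat /etc/selinux/config 2>/dev/null)"    || rc=1
    check_arch "$(uname -i 2>/dev/null)"                            || rc=1
    check_release "$(cat /etc/redhat-release 2>/dev/null)"          || rc=1
    check_hostname "$(hostname 2>/dev/null)"                        || rc=1
    check_ip_address "$(hostname --ip-address 2>/dev/null)"         || rc=1
    check_firewalld "$(systemctl is-enabled firewalld 2>/dev/null)" || rc=1
    return $rc
}

run_preflight || echo "preflight: fix the items marked above before installing NetYCE"
```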

Timezone

Set timezone

/etc/sysconfig/clock – add UTC=yes for Hypervisors that do not set the hwclock to UTC time

ZONE="Europe/Amsterdam"
UTC="yes"

/etc/sysconfig/ntpdate – set option to keep hw-clock in sync after ntpdate adjustment

SYNC_HWCLOCK=yes

Set locales

add the following lines to /etc/environment

LANG=en_US.utf-8
LC_ALL=en_US.utf-8

Filesystems

Some customer Linux systems have a filesystem setup where most application subtrees have their own volume. The sizes need to be adjusted to match the required size on the filesystems below, using the command:
# lvextend -L <size> -r <fs-device>

Check the actual device name with the df -h command.

 mountpoint              size     device
/opt/nms
/opt/yce
/opt/ycelib            2G          /dev/mapper/vg.appl-lv.optycelib
/var/opt/yce           2G          /dev/mapper/vg.appl-lv.varoptyce
/var/opt/mysql         5G          /dev/mapper/vg.appl-lv.varoptmysql
/var/opt/shared        5G          /dev/mapper/vg.appl-lv.varoptshared

Typical systems are setup with separate filesystems for:

/opt                  10G
/var/opt/mysql         5G
/var/opt/shared        5G

Prerequisites for installation

Make sure to have the following available on your VM:

The yceperl binary, YCE binary, your yce_license and a NetYCE database if applicable.

NetYCE installation

Yum packages to install from default repository

Install the following packages from the default repository using yum; the packages from non-standard repos are installed later in this guide:

rhel7_packages.txt
SDL 
apr 
apr-util 
at 
atlas 
autofs 
autogen-libopts 
avahi-libs 
bc 
bind-libs 
bind-utils 
bison 
blas 
blktrace 
boost-date-time 
boost-program-options 
boost-system 
boost-thread 
bridge-utils 
byacc 
bzip2 
centos-indexhtml 
cmake 
crda 
crypto-utils 
cryptsetup 
cscope 
ctags 
cyrus-sasl-plain 
desktop-file-utils 
diffstat 
dmraid 
dmraid-events 
doxygen 
dstat 
dwz 
dyninst 
ed 
efivar-libs 
elfutils 
emacs-filesystem 
epel-release 
flex 
fontconfig 
fontpackages-filesystem 
fribidi 
ftp 
galera 
gdbm-devel 
gettext-common-devel 
gettext-devel 
gnutls 
gpg-pubkey 
gpm-libs 
graphite2 
gsm 
gssproxy 
harfbuzz 
hdparm 
hesiod 
hicolor-icon-theme 
httpd 
httpd-manual 
httpd-tools 
indent 
iotop 
ius-release 
jbigkit-libs 
kernel 
keyutils 
keyutils-libs-devel 
krb5-devel 
lapack 
ldns 
libarchive 
libbasicobjects 
libcollection 
libcom_err-devel 
libdwarf 
libevent 
libfprint 
libgfortran 
libini_config 
libjpeg-turbo 
libkadm5 
libmodman 
libnfsidmap 
libnl 
libogg 
libpath_utils 
libpcap 
libproxy 
libquadmath 
libref_array 
libselinux-devel 
libsepol-devel 
libsndfile 
libtar 
libtheora 
libtirpc 
libusbx 
libverto-devel 
libverto-libevent 
libvorbis 
libwayland-server 
libxml2-python 
libzip 
lsof 
m4 
mailcap 
mailx 
man-pages 
man-pages-overrides 
mdadm 
mlocate 
mod_nss 
mod_ssl 
mod_wsgi 
mokutil 
mpfr 
mtr 
neon 
net-snmp-libs 
net-snmp-utils 
nettle 
nfs-utils 
nfs4-acl-tools 
nscd 
nss-pam-ldapd 
ntp 
ntpdate 
ntsysv 
numactl 
numpy 
openldap-clients 
openssl-devel 
oprofile 
pakchois 
patch 
patchutils 
pciutils 
pcre-devel 
perf 
php 
php-cli 
php-common 
pixman 
psmisc 
pygobject2 
pyparsing 
python-augeas 
python-backports 
python-backports-ssl_match_hostname 
python-chardet 
python-ipaddress 
python-kitchen 
python-nose 
python-setuptools 
python-six 
python2-futures 
quota 
quota-nls 
rcs 
redhat-rpm-config 
rpcbind 
rpm-sign 
rsync 
satyr 
sg3_utils-libs 
sgpio 
sos 
swig 
systemd-python 
tcp_wrappers 
tcsh 
telnet 
tftp 
theora-tools 
time 
tmpwatch 
traceroute 
trousers 
unbound-libs 
unzip 
usermode 
vim-common 
vim-enhanced 
vim-filesystem 
vsftpd 
wget 
xdg-utils 
xmlrpc-c 
xmlrpc-c-client 
xz-lzma-compat 
yum-utils 
zip 
zlib-devel

Fping

yum -y install https://centos7.iuscommunity.org/ius-release.rpm
yum -y install fping

MySecureShell

echo "[mysecureshell]
name=MySecureShell
baseurl=http://mysecureshell.free.fr/repository/index.php/centos/6.4/
enabled=1
gpgcheck=0" > /etc/yum.repos.d/mysecureshell.repo
yum -y install mysecureshell

Install MariaDB

cat > /etc/yum.repos.d/MariaDB_10_3.repo << EOF
# MariaDB 10.3 CentOS repository list - created 2019-06-20 15:41 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.3/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF
yum -y install MariaDB-server MariaDB-client

Install snmpd

cat > /etc/snmp/snmpd.conf << EOF
# Map 'readsys' community to the 'ConfigUser'
# Map 'readall' community to the 'AllUser'
# sec.name source community
com2sec ConfigUser default readsys
com2sec AllUser default readall

# Map 'ConfigUser' to 'ConfigGroup' for SNMP Version 2c
# Map 'AllUser' to 'AllGroup' for SNMP Version 2c
# sec.model sec.name
group ConfigGroup v2c ConfigUser
group AllGroup v2c AllUser

# Define 'SystemView', which includes everything under .1.3.6.1.2.1.1 (or .1.3.6.1.2.1.25.1)
# Define 'AllView', which includes everything under .1
# incl/excl subtree
view SystemView included .1.3.6.1.2.1.1
view SystemView included .1.3.6.1.2.1.25.1.1
view AllView included .1

# Give 'ConfigGroup' read access to objects in the view 'SystemView'
# Give 'AllGroup' read access to objects in the view 'AllView'
# context model level prefix read write notify
access ConfigGroup "" any noauth exact SystemView none none
access AllGroup "" any noauth exact AllView none none
EOF

To start snmpd: systemctl start snmpd. ('stop' to turn off)

To enable snmpd at boot: systemctl enable snmpd. ('disable' to disable).

Yce user creation and bash and vim profile settings

# create the group with gid 8000

groupadd -g 8000 nms

# create user yce with primary group nms and a home directory (no private group 'yce')

useradd -g nms -m -u 8000 -s /bin/bash yce

# set the password for user yce

passwd yce

# .bash_profile for yce user:

# .bash_profile
#
# NetYCE, 2018
#

export LC_ALL=C

if [ -r "/opt/yce/system/go" ]; then
    export RDEV="devel6"
    source "/opt/yce/system/go"
else
    echo "Skipping 'go'"
fi

export PATH="$PATH:/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin:/opt/yce/bin:/opt/yce/system:."

export LD_LIBRARY_PATH="/lib:/usr/lib:/usr/local/lib"
export LC_CTYPE="en_US.UTF-8"
export LC_ALL=C
export EDITOR=vi

if [ "${TERM}x" = "x" ]; then
    export TERM=ansi
    stty erase ^?
fi
if [ "$TERM" = "ansi" ]; then
    stty erase ^H
fi

set -o emacs
umask 0002

export PS1='\e[32m\u@\h\e[0m \w\n\$ '

if [ -f /etc/DIR_COLORS ]; then
    # eval `dircolors -b /etc/DIR_COLORS | sed 's/di=01;93/di=01;34/'`
    alias ls='ls -N --color=tty -T 0 '
fi

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

alias perl='/opt/ycelib/perl/bin/perl'
alias perldoc='/opt/ycelib/perl/bin/perldoc'
alias srch='/opt/yce/system/tools/srch.pl'
alias l='ls -lF'
alias ll='ls -laF'
alias lc='ls -CaF'
alias lr='ls -latrF'
alias o='less'
alias grep='grep --color=auto'
alias gerp='grep'
alias cp='cp -i'

# .bashrc for yce

cat >> /home/yce/.bashrc << EOF
# User specific aliases and functions
if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi
EOF

# .vimrc for yce

cat > /home/yce/.vimrc << EOF
set ts=4
set sw=4
set ai
set noerrorbells
set formatoptions-=r

EOF

.bash_profile and .vimrc for root user:

# .bash_profile
#
# NetYCE, 2018
#

if [ -r "/opt/yce/system/go" ]; then
    export RDEV="devel6"
    source "/opt/yce/system/go"
else
    echo "Skipping 'go'"
fi

export PATH="$PATH:/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin:/opt/yce/bin:/opt/yce/system:."

export LD_LIBRARY_PATH="/lib:/usr/lib:/usr/local/lib"
export LC_CTYPE="en_US.UTF-8"
export LC_ALL=C
export EDITOR=vi

if [ "${TERM}x" = "x" ]; then
    export TERM=ansi
    stty erase ^?
fi
if [ "$TERM" = "ansi" ]; then
    stty erase ^H
fi

set -o emacs
umask 0002

export PS1='\e[32m\u@\h\e[0m \w\n\$ '

if [ -f /etc/DIR_COLORS ]; then
    # eval `dircolors -b /etc/DIR_COLORS | sed 's/di=01;93/di=01;34/'`
    alias ls='ls -N --color=tty -T 0 '
fi

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

alias perl='/opt/ycelib/perl/bin/perl'
alias perldoc='/opt/ycelib/perl/bin/perldoc'
alias srch='/opt/yce/system/tools/srch.pl'
alias l='ls -lF'
alias ll='ls -laF'
alias lc='ls -CaF'
alias lr='ls -latrF'
alias o='less'
alias grep='grep --color=auto'
alias gerp='grep'
alias cp='cp -i'

echo "  "
if [ -x "/opt/yce/system/net_setup.pl" ]; then
        /opt/yce/system/net_setup.pl
else
        echo "ERROR: cannot start net_setup.pl"
fi

echo "  "
echo "  You can setup the networking by logging in "
echo "  as 'root' or using"
echo "    /opt/yce/system/net_setup.pl"
echo "  "
echo "  YCE setup can be restarted as 'yce' user using"
echo "    /opt/yce/system/yce_setup.pl"
echo "  "

# .bashrc

cat >> ~/.bashrc << EOF
# User specific aliases and functions
if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi
EOF

# .vimrc for root

cat > ~/.vimrc << EOF
set ts=4
set sw=4
set ai
set noerrorbells
set formatoptions-=r
EOF

Sudo setup

A couple of 'services' will be installed for NetYCE:

- yce_psmon
- httpd
- mysql
- vsftpd

Of these, yce_psmon and httpd require 'root' permissions to start.
Since all application maintenance will (or should) be executed using the functional user 'yce', sudo should be setup to permit this.
The default setup expects /sbin/service to be available for the 'yce' user. Execution should not require a password.

Add the following using visudo, and remove any mention of sudoers.d (if present) at the end of the file. Note that the commented MAINTENANCE and DEVELOPMENT examples reference a SERVICES alias that is not defined in this fragment; define a Cmnd_Alias SERVICES before enabling any of those lines.

# Yce
Cmnd_Alias YCE = /opt/yce/system/init/yce_tftpd
# Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum, /usr/bin/updatedb, /bin/ping
# Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall, /usr/bin/pkill
# Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool, /usr/sbin/ip, /usr/sbin/dhclient, /usr/sbin/iptables, /usr/sbin/ifstat, /sbin/iwconfig, /usr/sbin/ethtool

# Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp

Cmnd_Alias SHELLS = /bin/sh,/bin/bash
Cmnd_Alias SU = /bin/su
Cmnd_Alias LOGIN = /bin/login
Cmnd_Alias REBOOT = /usr/bin/reboot
Cmnd_Alias SHUTDOWN = /usr/bin/poweroff, /usr/bin/halt, /sbin/shutdown

Defaults    !requiretty

#==== YCE user group 'nms'
# Below are a few examples. 
# For production the MINIMUM profile might be a good start.
# For testing, the MAINTENANCE is regularly used.

# MINIMUM
# No password required for YCE applications, ALL other applications are allowed with a password.
%nms ALL = PASSWD:ALL, NOPASSWD:YCE

# MAINTENANCE
# No password required for YCE applications and services and processes. NO other applications are allowed to run at all!
# %nms ALL=NOPASSWD:YCE, SERVICES, PROCESSES

# Same, but all applications are allowed if you know the password.
# %nms ALL=NOPASSWD:YCE, SERVICES, PROCESSES, PASSWD:ALL


# DEVELOPMENT
# %nms ALL=NOPASSWD:SOFTWARE, YCE, SERVICES, PROCESSES, PASSWD:ALL
# %nms ALL=NOPASSWD:DELEGATING, NETWORKING, SOFTWARE, YCE, SERVICES, PROCESSES, PASSWD:ALL
# %nms ALL=NOPASSWD:ALL
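An audit of the sudoers fragment above, added here as an example (not part of the NetYCE guide or of sudo itself): it resolves the Cmnd_Alias references on the active %nms rules, lists which commands the nms group gets without a password, and flags alias names that are referenced but never defined, as the commented MAINTENANCE and DEVELOPMENT examples do with SERVICES. It assumes the layout shown above (one Cmnd_Alias per line, no line continuations, no Runas_Spec) and is a review aid, not a replacement for `visudo -c`.

```shell
#!/bin/sh
# Audit helper for the sudoers fragment above. Added example, not part of the
# NetYCE guide or of sudo. Assumes one Cmnd_Alias per line, no '\' line
# continuations and no Runas_Spec "(user)" on the rules, as in the fragment.
# Usage: sudoers_nopasswd_commands /etc/sudoers '%nms'
#        sudoers_undefined_aliases /etc/sudoers '%nms'

# Scan FILE ($1) for the rules of user_spec ($2) and print, one per line,
#   "NOPASSWD <command>"  for every command runnable without a password
#   "UNDEFINED <alias>"   for every alias name that has no Cmnd_Alias definition
_sudoers_scan() {
    awk -v spec="$2" '
        /^[ \t]*Cmnd_Alias[ \t]/ {
            line = $0
            sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", line)
            name = line; sub(/[ \t]*=.*/, "", name)
            cmds = line; sub(/^[^=]*=[ \t]*/, "", cmds)
            alias[name] = cmds
            next
        }
        /^[ \t]*#/ { next }                   # comments, incl. the disabled example rules
        $1 == spec {
            sub(/^[^=]*=[ \t]*/, "")           # keep only the Cmnd_Spec_List
            n = split($0, items, /[ \t]*,[ \t]*/)
            tag = "PASSWD"                     # sudo default: a password is required
            for (i = 1; i <= n; i++) {
                item = items[i]
                if (match(item, /^[A-Z]+:/)) { # a tag also applies to the items after it
                    tag = substr(item, 1, RLENGTH - 1)
                    item = substr(item, RLENGTH + 1)
                }
                if (item != "ALL" && item ~ /^[A-Z_]+$/ && !(item in alias)) {
                    print "UNDEFINED " item
                    continue
                }
                if (tag != "NOPASSWD") continue
                if (item in alias) {
                    m = split(alias[item], cs, /[ \t]*,[ \t]*/)
                    for (j = 1; j <= m; j++) print "NOPASSWD " cs[j]
                } else {
                    print "NOPASSWD " item
                }
            }
        }
    ' "$1"
}

sudoers_nopasswd_commands() { _sudoers_scan "$1" "$2" | sed -n 's/^NOPASSWD //p'; }
sudoers_undefined_aliases() { _sudoers_scan "$1" "$2" | sed -n 's/^UNDEFINED //p' | sort -u; }

# Constructed fragment: the MINIMUM rule from above plus the MAINTENANCE variant enabled
demo_sudoers() {
    cat <<'EOF'
Cmnd_Alias YCE = /opt/yce/system/init/yce_tftpd
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall, /usr/bin/pkill
Defaults    !requiretty
%nms ALL = PASSWD:ALL, NOPASSWD:YCE
# %nms ALL=NOPASSWD:ALL
%nms ALL=NOPASSWD:YCE, SERVICES, PROCESSES, PASSWD:ALL
EOF
}

# Stand-alone demo: write the constructed fragment to a temp file and audit it.
f=$(mktemp)
demo_sudoers > "$f"
echo "commands the nms group may run without a password:"
sudoers_nopasswd_commands "$f" '%nms'
echo "aliases referenced but never defined:"
sudoers_undefined_aliases "$f" '%nms'
rm -f "$f"
```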

bash_aliases for root

put the following in /root/.bash_aliases:

export PAGER="less"
export EDITOR="vim"
alias l='ls -CF'
alias ll='ls -lhF'
alias llt='ls -latrF'
alias lr='ls -latrF'
alias la='ls -ahF'
alias lla='ls -lahF'
alias lc='ls -CaF'
alias p='ping'
alias pst='ps axjf'
alias t='telnet'
alias n='nslookup'
alias o='less'
if [ -x /usr/bin/vim ]; then
  alias vi='vim'
fi
alias grep='grep --color=auto'
alias gerp='grep'
alias ip='ip --color'
alias ip4='ip -4 --color --brief addr | grep -v UNKNOWN'
alias ip6='ip -6 --color --brief addr | grep -v UNKNOWN'

# other
alias add='/opt/yce/system/patches/vendor_support.pl add'
alias perl='/opt/ycelib/perl/bin/perl'
alias perldoc='/opt/ycelib/perl/bin/perldoc'
alias srch='/opt/yce/system/tools/srch.pl'

Httpd

# enable the httpd service at startup

sudo systemctl enable httpd

# this creates the following symlink:

Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service

# mv ssl, nss, manual out of the way

sudo mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.unwanted
sudo mv /etc/httpd/conf.d/nss.conf /etc/httpd/conf.d/nss.conf.unwanted
sudo mv /etc/httpd/conf.d/manual.conf /etc/httpd/conf.d/manual.conf.unwanted

# This should actually be done in yce_setup.pl, it is dependent on the choice for SSL/https.

sudo mv /etc/httpd/conf.modules.d/00-ssl.conf /etc/httpd/conf.modules.d/00-ssl.conf.unwanted

# put a '#' in front of every line in welcome.conf. If the file is deleted, it will be put back after an upgrade of apache

sudo sed -i -e 's/^/# /' /etc/httpd/conf.d/welcome.conf

# suexec wasn't active on centos6, so disabled it as well on centos7. Eric, is this required?

sudo sed -i -e 's@^LoadModule suexec_module modules/mod_suexec.so@# LoadModule suexec_module modules/mod_suexec.so@' /etc/httpd/conf.modules.d/00-base.conf

Set up the perl environment.

# copy the perl bin to the new system

sudo mkdir /opt/ycelib
sudo chown yce:nms /opt/ycelib
sh yceperl_7.0.2.bin 		# as yce user, no sudo!

Cron

No entry for the yce user in /etc/cron.allow appears to be needed for that user to create crontab entries.

Yce directories

as yce user

sudo mkdir /var/opt/yce
cd /var/opt/yce
sudo mkdir backup configs download jobs logs output
sudo chown -R yce:nms /var/opt/yce/

Ycicle user

# use the UID and GID of the yce user in the following command (if you followed this installation guide, both values are 8000)

cat /etc/passwd | grep yce  
useradd -M -d /var/opt/shared -s /bin/bash -o -u 8000 -g 8000 ycicle
passwd ycicle

prevent expiry

/usr/bin/passwd -n 0 -x 99999 -i -1 ycicle

Make sure the shell of the ycicle user is set to /bin/MySecureShell.

Vsftpd

replace the contents of /etc/vsftpd/vsftpd.conf with the following:

# NetYCE 2019

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=002
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/opt/yce/logs/ftpxfer.log
vsftpd_log_file=/var/opt/yce/logs/ftplog.log
xferlog_std_format=YES
chroot_list_enable=YES
listen=NO
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

local_root=/var/opt/shared
secure_chroot_dir=/var/opt/shared
chown_username=yce.nms
guest_enable=NO
force_dot_files=NO
hide_file={.yce_prop}
delete_failed_uploads=YES
log_ftp_protocol=NO

and the following in /etc/vsftpd/chroot_list:

ycicle

put the following in /etc/ssh/sshd_config:

#   $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

UseDNS no

# override default of no subsystems
Subsystem   sftp    /usr/libexec/openssh/sftp-server
# Subsystem sftp    internal-sftp

Match User ycicle
#    ChrootDirectory /var/opt/shared
#    ForceCommand internal-sftp
#    ForceCommand /opt/yce/bin/cpsh.pl
    AllowTCPForwarding no
    X11Forwarding no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server

Create the following in /etc/ssh/sftp_config
The limited download speeds (100mbps global and 10mbps per session) are intended as guidelines to prevent multiple OS-file transfers from consuming too much bandwidth. These values can be adjusted to suit server and network capabilities.

## MySecureShell Configuration File ##
# NetYCE 2019

# Default rules for everybody
<Default>
        GlobalDownload          100m    #total speed download for all clients
                                        # o -> bytes   k -> kilo bytes   m -> mega bytes
        GlobalUpload            0       #total speed upload for all clients (0 for unlimited)
        Download                10m     #limit speed download for each connection
        Upload                  0       #unlimited speed upload for each connection
        StayAtHome              true    #limit client to his home
        VirtualChroot           true    #fake a chroot to the home account
        LimitConnection         50      #max connection for the server sftp
        LimitConnectionByUser   50      #max connection for the account
        LimitConnectionByIP     50      #max connection by ip for the account
        Home                    /var/opt/shared/
        Shell                   /opt/yce/bin/cpsh.pl
        IdleTimeOut             30m     # disconnect idle client after 30 min
        ResolveIP               false   #resolve ip to dns
        IgnoreHidden            true    #treat all hidden files as if they don't exist
        DirFakeUser             true    #Hide real file/directory owner (just change displayed permissions)
        DirFakeGroup            true    #Hide real file/directory group (just change displayed permissions)
        DirFakeMode             0400    #Hide real file/directory rights (just change displayed permissions)
                                        #Add execution right for directory if read right is set
        HideNoAccess            true    #Hide file/directory which user has no access
#       MaxOpenFilesForUser     20      #limit user to open x files on same time
#       MaxWriteFilesForUser    10      #limit user to x upload on same time
#       MaxReadFilesForUser     10      #limit user to x download on same time
        DefaultRights           0640 0750       #Set default rights for new file and new directory
#       MinimumRights           0400 0700       #Set minimum rights for files and dirs
        ShowLinksAsLinks        false   #show links as their destinations
        ConnectionMaxLife       2h      #limits connection lifetime to 2 hours
#       Charset                 "ISO-8859-15"   #set charset of computer
</Default>

<User ycicle>
        Shell                   /opt/yce/bin/cpsh.pl
        Home                    /var/opt/shared/
        VirtualChroot           true
        ResolveIP               false
        IgnoreHidden            true
        ShowLinksAsLinks        false
</User>

#Include /etc/my_sftp_config_file       #include this valid configuration file

Create network config files

Before starting this, run the yce binary as root and just press enter through every prompt, so that all directories get created and the files are put in place (the filename may differ, of course):

sh yce_7.1.1_20190522.bin

At the moment net_setup.pl only supports CentOS 6, so the network config files must be created manually. Revise the values below to suit your situation.

IP=192.168.56.101
HOSTNAME=rhel7
DOMAIN=netyce.org
IFNY=enp0s8
IFNAT=enp0s3

HWADDRNY=08:00:27:DF:B5:07
DNS1=8.8.8.8
DNS2=8.8.4.4
cat > /opt/yce/etc/net_setup.xml << EOF
<setup>
  <local name="accounts" root_password="initialized at 2015-04-01 09:00:30" yce_password="initialized at 2015-04-01 09:00:37" />
  <local name="host" application_if="$IFNY" domainname="${DOMAIN}" fqdn="${HOSTNAME}.${DOMAIN}" hostname="${HOSTNAME}" networking="yes" ntpaddress="149.210.205.44" />
  <local name="net">
    <$IFNAT bootproto="dhcp" device="$IFNAT" dhcphostname="${HOSTNAME}.${DOMAIN}" gatewaydev="$IFNAT" ipv4address="10.0.3.15" ipv4gateway="10.0.3.2" ipv4netmask="255.255.255.0" ipv4network="10.0.3.0" ipv4prefix="24" macaddress="08:00:27:e4:c0:79" name="$IFNAT" nmcontrolled="yes" onboot="yes" peerdns="yes" primarydns="$DNS1" secondarydns="$DNS2" type="Ethernet" />
    <$IFNY bootproto="static" device="$IFNY" dhcphostname="" gatewaydev="$IFNAT" ipv4address="$IP" ipv4gateway="automatic" ipv4netmask="255.255.255.0" ipv4network="192.168.56.0" ipv4prefix="24" macaddress="$HWADDRNY" name="$IFNY" nmcontrolled="yes" onboot="yes" peerdns="yes" primarydns="$DNS1" secondarydns="$DNS2" type="Ethernet" />
  </local>
</setup>
EOF

# YCE setup

cat > /opt/yce/etc/yce_setup.xml << EOF
<setup>
  <override>
    <configs crontab="update" httpd="update" mojo="update" network="keep" />
    <daemons yce_ibd="disable" yce_nccmd="enable" />
  </override>
  <yce name="$HOSTNAME">
    <database database_id="1" type="mysql" />
    <host domainname="$DOMAIN" fqdn="${HOSTNAME}.${DOMAIN}" hostname="$HOSTNAME" />
    <httpd mode="root" proto="http" type="apache" urlbase="name" />
    <login domainname="$DOMAIN" expire="10" />
    <mojo port="8080" server="mojo" />
    <morbo port="3000" />
    <net ipv4="$IP" />
    <roles database="yes" frontend="yes" />
    <wiki domain="netyce.com" ip="" local="no" name="wiki" proto="http" />
    <yce_db primary_db="$HOSTNAME" secondary_db="" />
  </yce>
</setup>
EOF

make sure the ownership of yce_setup.xml and net_setup.xml is yce:nms

tool_setup.xml

cat > /opt/yce/etc/tool_setup.xml << EOF
<!--
=== Scheduler and job tool configuration file ===

See the NetYCE wiki article for a detailed description:
  http://wiki.netyce.com/doku.php/operate:jobs:job_configuration

Currently supported job_type names:
	command_job 
	basic_cmd_job
	startup_cfg
	reload_node
	connect_dce
	RXvlan_job
	port_config - does not use scheduler: no approvals apply
	os_upgrades

Job types not listed above currently will use the <default> job definitions. Support 
will be incorporated in ongoing releases.

Job-types not configured explicitly below will also use the <default> job definitions.

All variables not configured explicitly in their <job_type> definitions will 
be lifted from the <default> definition.

-->
<tool_setup>

	<queues>
		<queue name="evpn" done_age="180" cancel_age="1800" job_int="20" max_run="50" max_wait="3600" />
		<queue name="ios" done_age="180" cancel_age="1800" job_int="5" max_run="20" max_wait="3600" />
		<queue name="yce" done_age="180" cancel_age="1800" job_int="2" max_run="50" max_wait="3600" />
	</queues>

	<defaults job_type="default" queue="yce">
		<auditors levels="3456" />
		<notify pending="yes" cancel="yes" suspend="yes" />
		<approvals name="1" levels="" threshold="0" limit="0" />
		<approvals name="2" levels="" threshold="0" limit="0" />
		<approvals name="3" levels="" threshold="0" limit="0" />
		<approvals name="4" levels="" threshold="0" limit="0" />
		<approvals name="5" levels="" threshold="0" limit="0" />
		<approvals name="6" levels="" threshold="0" limit="0" />
		<change_id option="1" hint="C000xxxxxx">
			<validation>^C000(\d){6}$</validation>
			<validation>^O000(\d){6}$</validation>
			<validation>^O000(\d){6}\-(\d){3}$</validation>
		</change_id>
	</defaults>

	<command_job job_type="command_job" queue="yce">
		<auditors levels="3456" />
		<notify pending="yes" cancel="yes" suspend="yes" />
		<approvals name="2" levels="" threshold="0" limit="0" />
		<approvals name="3" levels="" threshold="0" limit="0" />
		<approvals name="4" levels="" threshold="0" limit="0" />
		<approvals name="5" levels="" threshold="0" limit="0" />
		<approvals name="6" levels="" threshold="0" limit="0" />
		<change_id option="1" hint="C000xxxxxx">
			<validation>^C000(\d){6}$</validation>
			<validation>^O000(\d){6}$</validation>
			<validation>^O000(\d){6}\-(\d){3}$</validation>
			<validation>^T000(\d){6}$</validation>
		</change_id>
	</command_job>

	<startup_config job_type="startup_config">
		<change_id hint="T000xxxxxx">
			<validation>^T000(\d){6}$</validation>
		</change_id>
	</startup_config>

	<RXvlan_job job_type="RXvlan_job" queue="evpn">
	</RXvlan_job>

	<os_upgrades job_type="os_upgrades" queue="ios">
	</os_upgrades>

</tool_setup>
EOF
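To see how the `<default>` fallback and the `<change_id>` validations in this file combine, here is an added Python example (not part of the NetYCE distribution) that parses a constructed excerpt of the tool_setup.xml above and checks a change ID against the effective patterns of a job type. It assumes inheritance works per element: a job type that defines its own `<change_id>` replaces the default's pattern list, and anything it leaves out (such as `queue`) is lifted from `<defaults>`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the tool_setup.xml above, trimmed to the parts used here.
TOOL_SETUP = r"""<tool_setup>
  <defaults job_type="default" queue="yce">
    <change_id option="1" hint="C000xxxxxx">
      <validation>^C000(\d){6}$</validation>
      <validation>^O000(\d){6}$</validation>
      <validation>^O000(\d){6}\-(\d){3}$</validation>
    </change_id>
  </defaults>
  <startup_config job_type="startup_config">
    <change_id hint="T000xxxxxx">
      <validation>^T000(\d){6}$</validation>
    </change_id>
  </startup_config>
  <RXvlan_job job_type="RXvlan_job" queue="evpn">
  </RXvlan_job>
</tool_setup>"""


def resolve(job_type, xml_text=TOOL_SETUP):
    """Effective queue and change_id settings for one job type.

    Assumption (not stated by the file itself): a job type carrying its own
    <change_id> replaces the default pattern list entirely; whatever it leaves
    out (the queue, or the whole <change_id>) is lifted from <defaults>.
    """
    root = ET.fromstring(xml_text)
    defaults = root.find("defaults")
    job = root.find(f"*[@job_type='{job_type}']")
    if job is None:
        raise KeyError(f"unknown job_type {job_type!r}")
    change_id = job.find("change_id")
    if change_id is None:
        change_id = defaults.find("change_id")
    return {
        "queue": job.get("queue") or defaults.get("queue"),
        "hint": change_id.get("hint"),
        "patterns": [v.text.strip() for v in change_id.findall("validation")],
    }


def valid_change_id(job_type, change_id, xml_text=TOOL_SETUP):
    """True only if the whole value matches one effective pattern.

    re.fullmatch is used on purpose: re.match with a trailing '$' would still
    accept a value with a newline appended to it.
    """
    patterns = resolve(job_type, xml_text)["patterns"]
    return any(re.fullmatch(p, change_id) for p in patterns)
```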

/var/opt/shared/ directory

Make sure /var/opt/shared is owned by root:root and has mode 755.

/var/opt/shared/public has to be owned by yce:nms and also have mode 755.
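An added check (not part of the NetYCE installer) for the two ownership and mode requirements just listed; it uses the expected values exactly as stated above and only reports deviations, it changes nothing.

```python
import grp
import os
import pwd
import stat

# Expected owner, group and mode for the two directories named above.
SHARED_EXPECTATIONS = {
    "/var/opt/shared": ("root", "root", 0o755),
    "/var/opt/shared/public": ("yce", "nms", 0o755),
}


def audit_path(path, owner, group, mode):
    """Return the deviations of path from owner:group and mode (empty list = OK).

    Only the permission bits are compared (including setuid/setgid/sticky),
    not the file type. Unknown uids/gids are reported numerically.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    try:
        actual_owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        actual_owner = str(st.st_uid)
    try:
        actual_group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        actual_group = str(st.st_gid)
    actual_mode = stat.S_IMODE(st.st_mode)
    problems = []
    if actual_owner != owner:
        problems.append(f"{path}: owner is {actual_owner}, expected {owner}")
    if actual_group != group:
        problems.append(f"{path}: group is {actual_group}, expected {group}")
    if actual_mode != mode:
        problems.append(f"{path}: mode is {actual_mode:04o}, expected {mode:04o}")
    return problems


def audit_shared(expectations=SHARED_EXPECTATIONS):
    """Audit every expected path; returns {path: [problems]} for deviating ones."""
    report = {}
    for path, (owner, group, mode) in expectations.items():
        problems = audit_path(path, owner, group, mode)
        if problems:
            report[path] = problems
    return report


if __name__ == "__main__":
    for problems in audit_shared().values():
        print("\n".join(problems))
```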

Systemctl config files

Run the binary again; this time it should be able to generate the config files:

sh yce_7.1.1_20190522.bin

# httpd

cp /opt/yce/etc/rhel7_httpd.conf /etc/httpd/conf.d/yce.conf

mkdir /etc/systemd/system/httpd.service.d
cp /usr/lib/systemd/system/httpd.service /etc/systemd/system

cp /opt/yce/system/init/httpd.service.d-yce.conf /etc/systemd/system/httpd.service.d/yce.conf

systemctl daemon-reload

systemctl restart httpd

# MariaDB

cp /opt/yce/etc/rhel7_mysql.conf /etc/my.cnf
cp /usr/lib/systemd/system/mariadb.service /etc/systemd/system/
mkdir /etc/systemd/system/mariadb.service.d
cp /opt/yce/system/init/mariadb.service.d-yce.conf /etc/systemd/system/mariadb.service.d/yce.conf

systemctl daemon-reload

Systemctl psmon

root@rhel7 /etc/systemd/system # cp /opt/yce/system/init/yce_psmon.service . 

systemctl daemon-reload 
systemctl stop yce_psmon

Install the binary

sh yce_7.1.1_20190522.bin
Backup and Extraction will use /usr/bin/openssl and /usr/bin/gtar
Will extract to '/var/tmp/yce_install/YCE_7.1.1_20190522'
Skipping rollback archive: file exists 'YCEsrc_rhel7_20190806.des3'
Starting YCE installation verifications
Located YCE perl. Good
Installing YCE with 'root' privileges
Verifications complete
Found installation YCE manifest file '/var/tmp/yce_install/YCE_7.1.1_20190522/YCE_7.1.1_20190522.xml'. Good
Reading manifest '/var/tmp/yce_install/YCE_7.1.1_20190522/YCE_7.1.1_20190522.xml'
Parsing manifest parameters
Looking for existing YCE configuration
Loading existing YCE configuration
Will perform installation update in '/opt/yce'
Continue to do an UPDATE install?  [Y] Y
Located YCE license file '/opt/yce/etc/yce_license'
Location of 'yce_license'?  [/opt/yce/etc/yce_license]

Will use YCE license file '/opt/yce/etc/yce_license'. Good
   License registered to 'netYCE'
OK: License will not expire until '20191231'
   /var/tmp/yce_install/YCE_7.1.1_20190522/YCE_7.1.1_20190522.xml version = 7.1.1
License version '7' matches distribution version '7.1.1'. Good
You have licences for:
   IOS
   Rabo_spc
   NCCM
   Ziggo_sp
   Infoblox
   Netcool
   YCE
   Vancis_s
Found YCE distribution archive '/var/tmp/yce_install/YCE_7.1.1_20190522/YCEsrc_7.1.1_20190522.des3'. Good
Scanning build information of previous installed manifests
WARNING: Missing manifest file of previous installation
Must perform an initial install using interactive shell
Cannot continue using automatic updates - must perform first install
Error found. Continue? y
Starting package installations
yce_core (1)
nccm (2)
c3_connect (3)
rabo_dns_uitwijk (4)
dce_connect (5)
netcool_reporter (6)
ziggo_ipvpn (7)
rabo_wlc_poller (8)
netcool_services (9)
rabo_cmdb (10)
infoblox_dhcp (11)
rabo_systems (12)
os_upgrades (13)
rn3_evpn_failover (14)
netcool_mes (15)
infoblox_dns (16)
rabo_acs_update (17)
rabo_webcheck (18)
rn3_central (19)
rn3_sla (20)
Removing unlicensed package 'compliancy', requiring license 'Compliancy'
File installation complete
Do you want to create config files at this time?  [Y]
Starting configuration creation
-- ----------------------------------------
-- Starting 'yce_setup' interactive
--   operating system: CentOS (7.6.1810)
--   read network setup: '/opt/yce/etc/net_setup.xml'
--   read yce setup: '/opt/yce/etc/yce_setup.xml'
WARNING: No NetYCE database can be reached
YCE servers currently in setup:
  #  Hostname         IP-address           FQDN
* 0) rhel7            192.168.56.103       rhel7.netyce.org
  Select the server# to Remove, or 'A' to add, 'C' to continue: [C]
YCE server roles:
  #  Hostname         Front-end    SSL     HTTPD     URL      Mojo     Database     Id
* 0) rhel7            yes          http    root      name     8080     yes          1
  Select the server# to change, 'C' to continue: [0] C
YCE server database mapping:
  #  Hostname         Db-Id    Primary          Secondary
* 0) rhel7            1        rhel7
  Select the server# to change, 'C' to continue: [0] C
Login setup:
    Domain name for login (single-sign-on cookie)? [netyce.org]
    Hours until Login session expiry (single-sign-on cookie)? [10]
Login setup:
  Single-sign-on domain          Expire (hrs)
  netyce.org                     10
Wiki setup:
    'rhel7' will use the NetYCE public Wiki server? [Y]
-- New setup
#
# YCE Server overview:
# Name         Domain               IP-address      Database Front-end Primary-db   Secondary-db
# ----         ------               ----------      -------- --------- ----------   ------------
# rhel7        netyce.org           192.168.56.103   id=1    yes       rhel7
#
-- Saved setup in '/opt/yce/etc/yce_setup.xml'
Create the YCE, httpd, and mysql configuration files for the this system
* 0)  'rhel7'
  Create configuration for local server (y/n) ? [Y]
-- Create configs for server 'rhel7'
-- Yce: /opt/yce/etc/rhel7_yce.conf
WARNING vsftpd_conf: 'vsftpd_conf': psmon not running
WARNING sftp_conf: 'sftp_conf': psmon not running
WARNING vsftpd_chroot: 'vsftpd_chroot': psmon not running
WARNING sshd_conf: 'sshd_conf': psmon not running
    cannot support 'sftp'
    cannot support 'scp'
    cannot support 'ftp'
    can support 'tftp'
-- Mojo: /opt/yce/htdocs/angular/app/host.js
--   mojo url set to 'http://rhel7.netyce.org:8080/'
--   wiki url set to 'http://wiki.netyce.com/'
--   cacheswap 'rhel7' now at '201908060618'
-- Yce_psmon: /opt/yce/etc/rhel7_psmon.conf
ERROR: No sudo permissions available
ERROR: No sudo permissions available
ERROR: No sudo permissions available
ERROR: No sudo permissions available
-- Crontab: /opt/yce/etc/rhel7_crontab.conf
-- Httpd: /opt/yce/etc/rhel7_httpd.conf
-- Mysql: /opt/yce/etc/rhel7_mysql.conf
--   mysql version is '10.3.17'
--   mysql key_buffer set to '202M'
--   mysql tmpdir set to '/var/tmp'
-- Updating 'rhel7' menu-tree (C)
--   Creating menus for the role(s): "frontend","database"
--   Renewed the menu tree using the default
--   Updating 'rhel7' encryption keys
--   Updating scenario syntax highlighting file
-- Renewing NMS table permissions
-- Updating 'rhel7' my.cnf
WARNING: psmon copy failed (not running)
-- Daemons to restart: yce_psmon mysqld yce_tftpd yce_skulker yce_sched yce_nccmd yce_ibd morbo mojo
-- Relaunching NetYCE daemons...
-- yce_psmon:
     start: yce_psmon start
     wait start 'yce_psmon':
-- mysqld:
     start: mysql start
     wait start 'mysqld':
-- yce_tftpd: 3165
     stop: /bin/sudo /opt/yce/system/init/yce_tftpd stop
     wait stop 'yce_tftpd':
     start: /bin/sudo /opt/yce/system/init/yce_tftpd start
     wait start 'yce_tftpd': 3668
-- yce_skulker: 3185
     stop: /opt/yce/system/init/yce_skulker stop
     wait stop 'yce_skulker': 3185
     wait stop 'yce_skulker':
     start: /opt/yce/system/init/yce_skulker start
     wait start 'yce_skulker': 3691
-- yce_sched: 3207
     stop: /opt/yce/system/init/yce_sched stop
     wait stop 'yce_sched':
     start: /opt/yce/system/init/yce_sched start
     wait start 'yce_sched': 3713
-- yce_nccmd:
     start: /opt/yce/system/init/yce_nccmd start
     wait start 'yce_nccmd': 3725
-- yce_ibd:
     # disabled
-- morbo:
     # disabled
-- mojo: 3305 3306 3307 3308 3309 3310 3311
     stop: /opt/yce/system/init/yce_mojo stop
     wait stop 'mojo':
     start: /opt/yce/system/init/yce_mojo start
     wait start 'mojo': 3798 3799 3800 3801 3802 3803 3804
-- done
Relaunching XCH API...
  Stopping daemon 'yce_xch': 3347
  Starting daemon 'yce_xch'
-- Completed
SKIPPING PATCH INSTALL
  The patches MUST be installed when the YCE database is operational
  Patches must be installed using:
   '/opt/yce/system/patches/patch_install.pl'
Installation completed
Exiting installation. Cleanup
Cleanup YCEsrc_7.1.1_20190522
Completed - 1 Errors detected

Database import

Put the database in place. I assume you made a .tgz of the /var/opt/mysql directory of the running NetYCE you want to migrate.

systemctl disable mariadb
systemctl stop mariadb

Check whether a .conf file is present in /etc/systemd/system/mariadb.service.d/; if so, delete it:

rm migrated-from-my.cnf-settings.conf

Make sure /var/opt/mysql/ is empty before copying your database into it. In my case I extracted the database to /home/yce/var/opt/mysql/:

rm -rf /var/opt/mysql/*
cp -a /home/yce/var/opt/mysql/* /var/opt/mysql/
sudo systemctl enable mariadb
sudo systemctl start mariadb

If you see a message like “Warning: mariadb.service changed on disk. Run 'systemctl daemon-reload' to reload units.”, check with

ps -axuf | grep mysql

whether it is really running or not, because as I am writing this, this seems to be a false message and the daemon is actually running.

After the database is running, as the yce user:

go patches
./patch_install.pl

You might encounter the following:

    [18112302]   ERROR: Failed to create Ipv6_map_view Ipv6_map_view: "sql exec err: Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error"
    [18112302] Adding Mgmt_addr column to Ipv6_map table failed
ERROR: Patch '18112302' failed

    [19022703]  ERROR: Failed to create Ipv6_map_view Ipv6_map_view: "sql exec err: Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error"
    [19022703] renewing Ipv6_map_view view failed
ERROR: Patch '19022703' failed

    [19022707]  ERROR: Cannot create view 'Ipv6_subnet_view': "sql exec err: Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error"
    [19022707] Updating Ipv6 subnet view failed
ERROR: Patch '19022707' failed

Fix this as follows:

$ mysql_upgrade -u netYCE -p
Enter password:

Phase 1/7: Checking and upgrading mysql database
Processing databases

(I will skip all output that says OK, because there's a lot of that)

Phase 2/7: Installing used storage engines... Skipped
Phase 3/7: Fixing views
YCE.Ipv6_prefix_view
Error    : Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error
error    : Corrupt

Run

yce_setup.pl -r 

to regenerate the configuration.

Somehow vsftpd does not get started at this point, so for the time being:

sudo systemctl enable vsftpd
sudo systemctl start vsftpd
maintenance/general/installing_netyce_on_rhel7.txt · Last modified: 2019/11/27 16:41 by yspeerte